Openvpn, 2-way tunnel (=reverse connection -from openvpn-ser

Ask questions about your Access Server configuration here.
janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Openvpn, 2-way tunnel (=reverse connection -from openvpn-ser

Post by janhoedt » Mon Oct 24, 2011 9:04 am

Hi,

My tunnel seems to work correctly. I'm connecting from 10.101.160.x to 192.168.1.x, where I get an address in the 192.168.33.x VPN range.

However, now I would like to connect from the network I connect to (192.168.1.x) to the network I'm connecting from.
The network I'm connecting from is 10.101.160.x, but there are also other 10.x.x.x networks, so I would like all private 10.x ranges to be forwarded through my VPN.
The OS on which my OpenVPN runs is a Synology (so Linux). I already tried to add a static route:
> route add -net 10.100.4.0 netmask 255.255.255.0 gw 192.168.33.2

But a traceroute to a 10.100.4.x address does not work. If this worked, I could add a static route on my router in the network, pointing to the OpenVPN server, and there would be a two-way tunnel ...

Thanks for your help!

Routes on openvpn-server:
-------------------------
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
192.168.33.2    *               255.255.255.255  UH    0      0   0   tun0
192.168.1.0     *               255.255.255.0    U     0      0   0   eth0
192.168.33.0    192.168.33.2    255.255.255.0    UG    0      0   0   tun0
10.100.4.0      192.168.33.2    255.255.255.0    UG    0      0   0   tun0
default         192.168.1.1     0.0.0.0          UG    0      0   0   eth0



OPENVPN-SERVER:
----------------
#push "redirect-gateway def1"


#route 10.0.0.0 255.0.0.0 net_gateway
#route 172.16.0.0 255.240.0.0 net_gateway
#route 192.168.0.0 255.255.0.0 net_gateway

push "route 192.168.1.0 255.255.255.0"
push "route 192.168.33.0 255.255.255.0"
dev tun

management 192.168.1.6 1195

server 192.168.33.0 255.255.255.0


dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janjust » Wed Oct 26, 2011 12:25 pm

the openvpn server needs to know that the 10.100 network is "behind" the openvpn client. Read up on
http://openvpn.net/index.php/open-sourc ... html#scope
for details. You'll need to create a CCD file containing the right routing information.

janhoedt

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janhoedt » Wed Oct 26, 2011 2:15 pm

Thanks, however it looks as if this is to set up the connection from the client network so that it can reach the destination (OpenVPN) server, whereas I want the destination network (where the OpenVPN server is) to be able to connect to the client network.

In other words: client VPN = 10.101.160.x, VPN server = 192.168.1.x (VPN address = 192.168.33.x)
=> I would like 192.168.1.x addresses to be able to reach 10.101.160.x addresses.

Note: however, 10.101.160.x addresses other than the client should not be able to connect over the VPN(!)
Appreciate your feedback.
J.

janjust

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janjust » Wed Oct 26, 2011 2:22 pm

read the HOWTO article again carefully: it does explain how to reach clients on a network behind an OpenVPN client.

janhoedt

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janhoedt » Wed Oct 26, 2011 6:36 pm

Ok, thanks. I had a closer look, but not all is clear to me. I commented in red, your comment would be highly appreciated!


Expanding the scope of the VPN to include additional machines on either the client or server subnet.
For the purpose of this example, we will assume that the server-side LAN uses a subnet of 10.66.0.0/24 and the VPN IP address pool uses 10.8.0.0/24 as cited in the server directive in the OpenVPN server configuration file.
Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.
=> what is TUN/TAP? Do I need it here?

For this example, we will assume that the client LAN is using the 192.168.4.0/24 subnet, and that the VPN client is using a certificate with a common name of client2. Our goal is to set up the VPN so that any machine on the client LAN can communicate with any machine on the server LAN through the VPN.

Before setup, there are some basic prerequisites which must be followed:
The client LAN subnet (192.168.4.0/24 in our example) must not be exported to the VPN by the server or any other client sites which are using the same subnet. Every subnet which is joined to the VPN via routing must be unique.
The client must have a unique Common Name in its certificate ("client2" in our example), and the duplicate-cn flag must not be used in the OpenVPN server configuration file.
=> I have a certificate which was made by Synology, don't want to spend time to make one myself for now, can this be done? I don't know how to extract/find the name within the certificate, or how to check or uncheck the duplicate-cn flag ...

First, make sure that IP and TUN/TAP forwarding is enabled on the client machine.
=> What is it, how/where is this done?

Next, we will deal with the necessary configuration changes on the server side. If the server configuration file does not currently reference a client configuration directory, add one now:
client-config-dir ccd
=> is this a line within the server config or a command line on the openvpn-server?

In the above directive, ccd should be the name of a directory which has been pre-created in the default directory where the OpenVPN server daemon runs. On Linux this tends to be /etc/openvpn and on Windows it is usually \Program Files\OpenVPN\config. When a new client connects to the OpenVPN server, the daemon will check this directory for a file which matches the common name of the connecting client. If a matching file is found, it will be read and processed for additional configuration file directives to be applied to the named client.

The next step is to create a file called client2 in the ccd directory. This file should contain the line:
iroute 192.168.4.0 255.255.255.0
This will tell the OpenVPN server that the 192.168.4.0/24 subnet should be routed to client2.
=> Can I add more routes to this file? For example
iroute 10.100.4.0
iroute ...

Next, add the following line to the main server config file (not the ccd/client2 file):
route 192.168.4.0 255.255.255.0

=> For Linux, would this be in the NAS server config? Or is it
route add -net 10.100.4.0 netmask 255.255.255.0 gw 'gateway of vpn' ?

Why the redundant route and iroute statements, you might ask? The reason is that route controls the routing from the kernel to the OpenVPN server (via the TUN interface) while iroute controls the routing from the OpenVPN server to the remote clients. Both are necessary.

janhoedt

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janhoedt » Thu Oct 27, 2011 6:18 am

Ok, I found the common name in the certificate. However it is with spaces, could that be an issue? I have to create a file name with spaces on Linux ...(?):

CN = Synology Inc CAL

janhoedt

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janhoedt » Thu Oct 27, 2011 6:38 am

I have created the folder, but if I create the file, I get this:

DS> touch "Synology Inc CA"
DS> vi Synology\ Inc\ CA

Doesn't seem right, does it?

janhoedt

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janhoedt » Thu Oct 27, 2011 6:52 am

Update:

I tried to make the file with single quotes and the file seems to show up correctly:

DS> ls
Synology Inc. CA openvpn.conf server.conf
keys radiusplugin.cnf

---
The route-line is also there:

route 10.100.4.0 255.255.255.0

---
Now when I want to add a route to my Linux NAS machine, I get this:

DS> route add 10.100.4.0 netmask 255.255.255.0 gw 192.168.33.2
route: netmask 0000ffff and host route conflict

Furthermore I guess I have also to enable some kind of routing on the client connecting, but that's not clear to me (TUN/TAP-forwarding)?

Thanks a bunch for your help!

janjust

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janjust » Thu Oct 27, 2011 9:10 am

Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.
=> what is TUN/TAP? Do I need it here?
the VPN uses a tun or tap networking interface ; you need to make sure that traffic is forwarded between the tun (or tap) interface and the rest of the system; for this you need
- ip_forward to be enabled (do a 'cat /proc/sys/net/ipv4/ip_forward' to check)
- iptables rules if required to allow forwarding; alternatively, disable iptables for now
=> I have a certificate which was made by Synology, don't want to spend time to make 1 by myself for now, can this be done? I don't know how to extract/find the name within the certificate/chek or uncheck the duplicate cn-flag ...
yes this can be done but you need to get the Synology root CA certificate (which should be publicly available somewhere).
=> is this a line within the server config or a command line on the openvpn-server
normally this is a server config line ; make sure you use an absolute path for the directory, e.g.


client-config-dir /usr/local/synovpn/etc/openvpn/ccd
and make sure this directory is world readable
=> Can I add more routes to this file? For example
iroute 10.100.4.0
iroute ..
you can add as many iroutes in the CCD file as the system can handle
DS> touch "Synology Inc CA"
DS> vi Synology\ Inc\ CA

Doesn't seem right, does it?
yep, that's OK, but the name of a CA cert file does not need to be the same as the CA name itself; you could use 'ca.crt' as well.
DS> route add 10.100.4.0 netmask 255.255.255.0 gw 192.168.33.2
route: netmask 0000ffff and host route conflict
I'd try something like


 route add -net 10.100.4.0/24 gw 192.168.33.2
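
Added worked example, not from the thread and not Synology's or OpenVPN's own code: a small POSIX shell script that produces the server-side pieces janjust's reply and the quoted HOWTO describe, from a list of client-side LANs in CIDR notation. It writes the CCD file with one `iroute` per LAN, prints the matching `route` line for the main server config and the static route the LAN router (192.168.1.1 in the thread) needs, and prints `FORWARD` rules that let the server LAN open connections into the client LAN but only let replies come back, which is the one-way restriction asked for earlier in the thread. Two caveats it encodes are my own reading of OpenVPN 2.x rather than something the thread confirms: the CCD file is looked up under the name the server uses for the client, which with `username-as-common-name` and `client-cert-not-required` (both in the posted server.conf) is the RADIUS username rather than any certificate CN; and characters outside letters, digits, `_`, `-`, `.` and `@` are remapped to `_` before the lookup, so a name with spaces such as `Synology Inc CA` would be looked up as `Synology_Inc_CA`. The `route` directive in server.conf also makes OpenVPN install the kernel route on tun0 itself at startup, so a manual `route add` is only a stopgap for testing. The CCD directory, client name, server LAN address and subnets used below are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread, not Synology's or OpenVPN's code): generate
# the server-side pieces for reaching a LAN behind an OpenVPN client. The CCD
# directory, client name, server LAN address and subnets are all assumptions.

# Prefix length (0-32) -> dotted netmask. OpenVPN's route/iroute directives and
# route(8) on the NAS both want a dotted mask rather than a CIDR suffix.
prefix_to_mask() {
    p=$1
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -le 32 ] || return 1
    if [ "$p" -eq 0 ]; then m=0
    else m=$(( (4294967295 << (32 - p)) & 4294967295 )); fi
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
                           $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# Client name -> CCD file name. Assumption (my reading of OpenVPN 2.x, not
# confirmed by the thread): the server remaps every character outside
# [A-Za-z0-9_.@-] to '_' before looking the file up, so "Synology Inc CA"
# would be looked up as "Synology_Inc_CA". With username-as-common-name and
# client-cert-not-required (both in the posted server.conf) the name is the
# RADIUS username, not a certificate CN. The server log at verb 5 shows the
# name actually used; trust that over this function.
ccd_name() {
    printf '%s\n' "$1" | sed 's/[^A-Za-z0-9_.@-]/_/g'
}

# Write <ccd_dir>/<name> with one iroute per client LAN and print the lines
# that belong elsewhere: the route directive for server.conf (OpenVPN installs
# the kernel route on tun0 from it) and the static route for the LAN router.
# Usage: gen_site_routes <ccd_dir> <client name> <server LAN ip> <cidr>...
gen_site_routes() {
    ccd_dir=$1; name=$2; srv_lan_ip=$3; shift 3
    f="$ccd_dir/$(ccd_name "$name")"
    : > "$f"
    for cidr in "$@"; do
        net=${cidr%/*}; plen=${cidr#*/}
        mask=$(prefix_to_mask "$plen") || { echo "bad CIDR: $cidr" >&2; return 1; }
        echo "iroute $net $mask" >> "$f"            # CCD: OpenVPN -> this client
        echo "server.conf: route $net $mask"        # kernel -> tun0, via OpenVPN
        echo "LAN router:  route add -net $net netmask $mask gw $srv_lan_ip"
    done
    echo "CCD file written: $f"
}

# FORWARD rules for the server (printed, not applied): the server LAN may open
# connections into the client LAN, the client LAN only gets replies back.
# Assumes eth0 is the LAN side and tun0 the VPN side, and ip_forward=1.
forward_rules() {
    srv_lan=$1; cli_lan=$2
    echo "iptables -A FORWARD -i eth0 -o tun0 -s $srv_lan -d $cli_lan -j ACCEPT"
    echo "iptables -A FORWARD -i tun0 -o eth0 -s $cli_lan -d $srv_lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i tun0 -o eth0 -j DROP"
}

# Usage: sh site_routes.sh /usr/local/synovpn/etc/openvpn/ccd jan 192.168.1.6 10.100.4.0/24
if [ $# -ge 4 ]; then
    gen_site_routes "$@"
    forward_rules 192.168.1.0/24 "$4"
fi
```

The generated `iroute` lines are what make the server hand packets for those LANs to this one client; without them the kernel route alone sends the packets into tun0 and OpenVPN drops them, which is what the blank traceroute earlier in the thread looks like.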

janhoedt

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janhoedt » Thu Oct 27, 2011 3:45 pm

Thanks a million for this kind of support/quick feedback.

I've really been digging into it. Could you be so kind to comment where you see necessary?


Routing from LAN NAS-server to client-vpn:
--------------------------------------------

1.Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.

*IP forward:
echo 1 > /proc/sys/net/ipv4/ip_forward
-
Checked if this is activated:
DS> cat /proc/sys/net/ipv4/ip_forward
1
! NOTE: iptables is not active:
DS> iptables -L INPUT #
Chain INPUT (policy ACCEPT)
target prot opt source destination

Explanation mentions:
Also make sure that your network interface is in promiscuous mode.
=> What is the impact of doing this & how to do this, won't it work without activating this?

*TUN/TAP forwarding:
=> no idea where to start, no guidelines found how to activate this, is it necessary?

Note: the manual mentions:
'One of the benefits of using ethernet bridging is that you get this for free without needing any additional configuration.'
=> Would that be a better option in my case?

2.Manual references to use the common name of the client in the certificate, I guess this is CN= ...?
Changed the name to ca.crt (see 6.)


3.Prerequisites to be met:
-The client must have a unique Common Name in its certificate ("client2" in our example): ok => ca.crt (not sure?)
-The duplicate-cn flag must not be used in the OpenVPN server configuration file.
=> How to do this?

4.First, make sure that IP and TUN/TAP forwarding is enabled on the client machine.
=> how to do this, didn't find info back

5.Add line client-config-dir ccd (client-config-dir /usr/local/synovpn/etc/openvpn/ccd)
=> done
on linux machine:
mkdir ccd
You mention: "make sure this directory is world readable"
=> how can I check if it is?

6.create clientfile
=> see above, name is made with command between single brackets
The name of a CA cert file does not need to be the same as the CA name itself; you could use 'ca.crt' as well
=> ca.crt is in /usr/local/synovpn/etc/openvpn/ccd

DS> ls /usr/local/synovpn/etc/openvpn
ca.crt keys radiusplugin.cnf
ccd openvpn.conf server.conf
-
DS> cd /usr/local/synovpn/etc/openvpn/ccd
DS> ls
ca.crt

vi ca.crt



7.Added lines to ca.crt
iroute 10.100.4.0 255.255.255.0
iroute 10.101.161.0 255.255.255.0

=> done

Note: the ip of the pc-client is the following:
Ethernet adapter Local Area Connection:


IP Address. . . . . . . . . . . . : 10.101.161.129
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.101.161.254

=> Should I use 255.255.254.0 now?

8.Add the following line to the main server config file (not the ccd/client2 file):
example: route 192.168.4.0 255.255.255.0
=> this does not work for the Linux-machine
=> however this works, but is it correct?:
route add -net 10.101.161.0 netmask 255.255.255.0 gw 192.168.33.2
note: see "Notes" below


9.Quote of you: "You need to get the Synology root CA certificate (which should be publicly available somewhere)"
=> Some confusion now: do I need it to create a certificate myself, or can I just use the ca.crt (which is in the configuration)?


AFTER ADAPTATIONS, should I REBOOT THE SYNOLOGY (LINUX)? I did now, but not sure if it is always necessary or whether I can trigger a refresh (I know I have to make the route persistent and have to add it after a reboot, still looking at how to make it persistent)

Notes:
------
troubleshooting:

traceroute to 10.101.161.129 (10.101.161.129), 30 hops max, 38 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *


=> no input whatsoever where it goes wrong ...




Off this topic:
----------------
I'm sometimes "stuck in Linux-console", do you know how to get out?
DS> cd \
> cd \
>
>
>
>
=> exit, bye, ctrl + c, nothing works, I just have to reconnect

janhoedt

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janhoedt » Sat Nov 05, 2011 7:51 pm

Hi Jan,

I see you're online.
Would you mind getting me on track again? Some tips to help me troubleshooting would be great.

Cheers,
J.

janjust

Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn

Post by janjust » Mon Nov 07, 2011 12:08 am

whoops, this post slipped by me... I wasn't online at that time, BTW.

please add


  verb 5
to the server log file and restart client and server; there should be a line in the server log when the client CCD file is processed; another quick & dirty debugging trick is to add


ccd-exclusive
to the server config - if there's anything wrong with the CCD file setup then the client won't be able to connect.

do you have only a single Synology cert? to use CCD files each client must have a unique certificate file.
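
Added example, not from the thread: a shell check that does over a saved log file what janjust's `verb 5` advice is for. It confirms the server actually read a CCD file for the client (the `OPTIONS IMPORT: reading client specific options from:` line) and that every `iroute` in that CCD file shows up as a learned `MULTI: internal route`, and it reports any route that is missing. The sample log lines and CCD file are constructed for the example, in the format I know from OpenVPN 2.x server logs; the client name `jan`, the addresses and the paths are assumptions, and the line formats should be checked against your own log before relying on the script.

```sh
#!/bin/sh
# Added example: audit an OpenVPN server log against a CCD file. Not from the
# thread; the client name, addresses, paths and the sample log are constructed.

# Dotted netmask -> prefix length; fails on a non-contiguous mask.
mask_to_prefix() {
    mask=$1
    oldifs=$IFS; IFS=.; set -- $mask; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    n=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do
        n=$(( n + 1 )); m=$(( (m << 1) & 4294967295 ))
    done
    [ "$m" -eq 0 ] || return 1
    echo "$n"
}

# Path of the CCD file the server reported reading for <client>, if any.
ccd_file_for() {   # $1 log, $2 client name
    grep -F " $2/" "$1" |
        sed -n 's/.*OPTIONS IMPORT: reading client specific options from: //p' | head -n 1
}

# Internal routes (CIDR) the server learned for <client>.
iroutes_for() {    # $1 log, $2 client name
    grep -F " $2/" "$1" | sed -n 's/.*MULTI: internal route \([^ ]*\) -> .*/\1/p'
}

# Compare every iroute in the CCD file with what the server learned.
# Returns the number of problems, so 0 means the routing is in place.
verify_client_routes() {   # $1 log, $2 client name, $3 CCD file
    log=$1; client=$2; ccd=$3; problems=0
    if [ -z "$(ccd_file_for "$log" "$client")" ]; then
        echo "no CCD file was read for $client (name mismatch, or verb too low?)"
        problems=$(( problems + 1 ))
    fi
    learned=$(iroutes_for "$log" "$client")
    while read -r kw net mask _; do
        [ "$kw" = iroute ] || continue
        # OpenVPN treats an iroute without a netmask as a host route.
        [ -n "$mask" ] || mask=255.255.255.255
        if plen=$(mask_to_prefix "$mask"); then
            if printf '%s\n' "$learned" | grep -qxF "$net/$plen"; then
                echo "ok       $net/$plen"
            else
                echo "MISSING  $net/$plen"; problems=$(( problems + 1 ))
            fi
        else
            echo "BAD MASK $net $mask"; problems=$(( problems + 1 ))
        fi
    done < "$ccd"
    return "$problems"
}

# Constructed sample data: a CCD file with two iroutes and a log in which the
# server read the CCD file but learned only the first route. Prints the
# scratch directory that holds both files.
write_sample() {
    d=$(mktemp -d)
    printf 'iroute 10.100.4.0 255.255.255.0\niroute 10.101.160.0 255.255.254.0\n' > "$d/jan"
    cat > "$d/openvpn.log" <<'EOF'
Thu Oct 27 21:03:12 2011 10.101.161.129:50512 [jan] Peer Connection Initiated with 10.101.161.129:50512
Thu Oct 27 21:03:12 2011 jan/10.101.161.129:50512 OPTIONS IMPORT: reading client specific options from: /usr/local/synovpn/etc/openvpn/ccd/jan
Thu Oct 27 21:03:12 2011 jan/10.101.161.129:50512 MULTI: Learn: 192.168.33.6 -> jan/10.101.161.129:50512
Thu Oct 27 21:03:12 2011 jan/10.101.161.129:50512 MULTI: primary virtual IP for jan/10.101.161.129:50512: 192.168.33.6
Thu Oct 27 21:03:12 2011 jan/10.101.161.129:50512 MULTI: internal route 10.100.4.0/24 -> jan/10.101.161.129:50512
EOF
    echo "$d"
}

# Usage: sh ccd_check.sh /var/log/openvpn.log jan /usr/local/synovpn/etc/openvpn/ccd/jan
if [ $# -eq 3 ]; then
    verify_client_routes "$1" "$2" "$3" || echo "problems: $?"
else
    d=$(write_sample)
    verify_client_routes "$d/openvpn.log" jan "$d/jan" || echo "problems: $?"
    rm -rf "$d"
fi
```

If the "no CCD file was read" line appears while the client connects fine, the file name does not match the name the server uses for the client; `ccd-exclusive`, as suggested above, turns that silent mismatch into a refused connection, which is easier to notice.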
